These tests would have failed if any image had a USER declaration in it,
but because the test image never has, these were never caught. Adding
supplemental GIDs on any image revealed the issue.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
If we are using an image config, we should by default add any additional
GIDs that are found from reading /etc/group, even if the default user is
root.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Many of the setup/dev programs installed are not used because no testing
is executed on GOOS=darwin builds. Makes sense to remove them and make
darwin runs much shorter.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Add flag and With-helper to set NoNewPrivileges to false since it is on
by default in the default UNIX spec for containerd, but off by default
in Docker and CRI plugin use. This allows for easy testing with it off
for comparison.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Signed-off-by: John Howard <jhoward@microsoft.com>
This is the maintained version of boltdb, which includes the Windows-specific fix
detailed in https://github.com/etcd-io/bbolt/pull/122
This has releases, and the vendored version is very old, predating
the change from LGPL to Apache licensing.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Can be used to conform to Docker engine behavior of adding additional
GIDs to spec when found in /etc/group of image filesystem
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
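The supplemental GID lookup these commits describe, as an added example that is not containerd's own code: it reads an `/etc/group`-formatted file and returns every group that lists a user as a member, which for root is non-empty even though its primary GID is 0. The names `additionalGIDs` and `sampleGroup` and the sample file contents are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of an image's /etc/group (not from any real image).
const sampleGroup = `root:x:0:
daemon:x:1:root,daemon
adm:x:4:root,app
broken:x:notanumber:root
app:x:1000:
`

// additionalGIDs (hypothetical helper) returns the sorted GIDs of groups that list user as a member.
func additionalGIDs(groupFile, user string) []uint32 {
	seen := map[uint32]bool{}
	sc := bufio.NewScanner(strings.NewReader(groupFile))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		f := strings.Split(line, ":") // name:password:gid:member,member
		if strings.HasPrefix(line, "#") || len(f) != 4 {
			continue // comment, blank or malformed line
		}
		gid, err := strconv.ParseUint(f[2], 10, 32)
		if err != nil {
			continue // non-numeric GID: skip rather than guess
		}
		for _, m := range strings.Split(f[3], ",") {
			if user != "" && strings.TrimSpace(m) == user {
				seen[uint32(gid)] = true
			}
		}
	}
	gids := make([]uint32, 0, len(seen))
	for g := range seen {
		gids = append(gids, g)
	}
	sort.Slice(gids, func(i, j int) bool { return gids[i] < gids[j] })
	return gids
}

func main() {
	// root's primary group is 0, yet the group file grants it supplemental GIDs.
	fmt.Println(additionalGIDs(sampleGroup, "root"), additionalGIDs(sampleGroup, "app"))
}
```

Comparing this list with the `Groups:` line of `/proc/self/status` inside a running container shows whether the runtime applied the image's supplemental groups.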
This allows users to consume the install functionality but also install
to other areas instead of the managed `/opt` dir.
```bash
> ctr install --path /usr/local
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
```go
func (e *execProcess) delete(ctx context.Context) error {
	e.wg.Wait()
	...
}
```
Deleting an exec process will wait for the IO copy to finish; if we wait here,
other processes cannot get the lock of the shim service.
1. Apply the lock around s.transition() calls in the Delete methods.
2. Take the lock after waiting for the IO copy in exec Delete.
Signed-off-by: Ace-Tang <aceapril@126.com>
This makes sure that runc does not get any valid IO for the pipe. Some
builds and other containers will be stuck if they inspect stdin
especially and it's a pipe but not connected to any user input.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>